Support Content Notification - Support Portal

USN-6621-1: ImageMagick vulnerability

Product/Component

Notification Id

24670

Last Updated

15 July 2024

Initial Publication Date

15 July 2024

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

CVE-2023-5341

Severity

medium

Vendor

VMware Tanzu

Versions Affected

Canonical Ubuntu 22.04
Cflinuxfs4

Description

It was discovered that ImageMagick incorrectly handled certain values when processing BMP files. An attacker could exploit this to cause a denial of service. Update Instructions: Run `sudo pro fix USN-6621-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: imagemagick-common - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickcore-6.q16-dev - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickcore-dev - 8:6.8.9.9-7ubuntu5.16+esm10 imagemagick - 8:6.8.9.9-7ubuntu5.16+esm10 imagemagick-doc - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickwand-dev - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickcore-6.q16-2-extra - 8:6.8.9.9-7ubuntu5.16+esm10 libmagick++-6-headers - 8:6.8.9.9-7ubuntu5.16+esm10 libimage-magick-q16-perl - 8:6.8.9.9-7ubuntu5.16+esm10 libimage-magick-perl - 8:6.8.9.9-7ubuntu5.16+esm10 libmagick++-dev - 8:6.8.9.9-7ubuntu5.16+esm10 imagemagick-6.q16 - 8:6.8.9.9-7ubuntu5.16+esm10 libmagick++-6.q16-5v5 - 8:6.8.9.9-7ubuntu5.16+esm10 perlmagick - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickwand-6.q16-2 - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickcore-6-arch-config - 8:6.8.9.9-7ubuntu5.16+esm10 libmagick++-6.q16-dev - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickwand-6.q16-dev - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickcore-6-headers - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickwand-6-headers - 8:6.8.9.9-7ubuntu5.16+esm10 libmagickcore-6.q16-2 - 8:6.8.9.9-7ubuntu5.16+esm10 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.

Fixed VMware Products and Versions

Cflinuxfs3

0.385.0 or greater

Jammy Stemcells

1.360 or greater

Isolation Segment

2.11.48 or greater
2.13.33 or greater

VMware Tanzu Application Service for VMs

2.11.54 or greater
2.13.36 or greater

References

https://ubuntu.com/security/notices/USN-6621-1

https://www.cloudfoundry.org/blog/usn-6621-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6621-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24670

History

2024-02-01: Initial vulnerability report published.